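---
# Since we have multiple build targets, and the makefile that CodeQL would use in its autobuild
# step doesn't build everything, we need to manually run the Go (and C++) build commands
#
# See:
# https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning
# https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
#
# Additionally, see example CodeQL pipeline (in CodeQL repo):
# https://github.com/github/codeql/blob/0342b3eba242476cea815e601942021092d0bc10/.github/workflows/codeql-analysis.yml
#
# NOTE(review): every `uses:` below references a mutable major-version tag (`@v4`, `@v3`, `@v1`)
# rather than a full commit SHA, while the job holds `security-events: write`. Pinning each
# third-party action to a commit SHA (tag kept in a trailing comment) is the usual supply-chain
# hardening; it is not applied here because the corresponding SHAs are not recorded in this file.
name: "CodeQL"

on:
  push:
    branches: ["main", "release/*"]
  pull_request:
    branches: ["main", "release/*"]
    # skip PRs that only touch docs/tooling; the negated pattern keeps this workflow file in scope
    paths-ignore:
      - "**/*.md"
      - "**/*.txt"
      - "hack/**"
      - "scripts/**"
      - ".github/**"
      - "!.github/workflows/codeql.yml"
  schedule:
    # run weekly, at midnight on Sunday
    # minute, hour, day of month, month, day of week
    - cron: "0 0 * * 0"

jobs:
  analyze:
    name: Analyze (${{ matrix.language }} - ${{ matrix.goos }})
    runs-on: ubuntu-latest
    permissions:
      # required for all workflows
      security-events: write
      # required to fetch internal or private CodeQL packs
      packages: read
      # only required for workflows in private repositories
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        # we want a matrix across the two GOOS options, not the product of all options
        # ! update `targets` field if more binaries are added
        include:
          - goos: windows
            language: go
            # folded scalar: the entries become one comma-separated line; the build step splits
            # on ',' and drops blank items, so the trailing comma is harmless
            targets: >-
              cmd/containerd-shim-runhcs-v1,
              cmd/device-util,
              cmd/jobobject-util,
              cmd/ncproxy,
              cmd/runhcs,
              cmd/shimdiag,
              cmd/tar2ext4,
              cmd/wclayer,
              internal/tools/extendedtask,
              internal/tools/grantvmgroupaccess,
              internal/tools/networkagent,
              internal/tools/securitypolicy,
              internal/tools/uvmboot,
              internal/tools/zapdir,
          - goos: linux
            language: go, c-cpp
            targets: >-
              cmd/gcs,
              cmd/gcstools,
              cmd/hooks/wait-paths,
              cmd/tar2ext4,
              internal/tools/policyenginesimulator,
              internal/tools/securitypolicy,
              internal/tools/snp-report,
    steps:
      # setup runner before initializing & running CodeQL
      - name: Checkout
        uses: actions/checkout@v4
        with:
          show-progress: false
      - name: Install Go
        uses: ./.github/actions/setup-go
        with:
          fill-module-cache: true
      - name: CodeQL Initialize
        uses: github/codeql-action/init@v3
        with:
          build-mode: manual
          languages: ${{ matrix.language }}
      # build binaries
      # `matrix.targets` is a literal defined in the matrix above (not event payload data), so
      # expanding it inside the script is not an expression-injection path; keep it sourced from
      # this file rather than from `github.event.*` context
      - name: Build go binaries
        shell: pwsh
        run: |
          $targets = "${{ matrix.targets }}" -split ',' |
            foreach { $_.Trim() } |
            where { -not [string]::IsNullOrWhiteSpace($_) }
          Write-Output "Targets: $targets"
          foreach ( $t in $targets ) {
            Write-Output "Build: $t"
            go build "./$t" 2>&1
          }
        env:
          GOOS: ${{ matrix.goos }}
      - name: Build init and vsockexec
        if: ${{ matrix.goos == 'linux' }}
        run: make bin/vsockexec bin/init
      # only upload results if the analysis fails
      # otherwise, save the output and use `advanced-security/filter-sarif` to filter paths
      - name: CodeQL Analyze
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
          output: sarif-results
          upload: failure-only
      - name: Filter Go SARIF Results
        uses: advanced-security/filter-sarif@v1
        with:
          # '+' keeps matching result paths, '-' drops them; the file is rewritten in place
          patterns: |
            +**/*.go
            -**/*_test.go
            -test/**/*.go
            -vendor/**/*.go
          input: sarif-results/go.sarif
          output: sarif-results/go.sarif
      - name: Filter C/C++ SARIF Results
        uses: advanced-security/filter-sarif@v1
        # cpp.sarif is only produced on the linux leg, whose `language` includes c-cpp
        if: ${{ matrix.goos == 'linux' }}
        with:
          patterns: |
            +**/*
            -vendor/**/*
          input: sarif-results/cpp.sarif
          output: sarif-results/cpp.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif-results
      - name: Upload SARIF Results as Build Artifact
        uses: actions/upload-artifact@v4
        with:
          name: sarif-results-${{ matrix.goos }}
          path: sarif-results
          retention-days: 1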